Child pages
  • Collecting sensitive files from non-UT affiliates

Skip to end of metadata
Go to start of metadata

An updated version of this article is available at





When individuals external to the University need to submit sensitive information to UT, steer clear of using email! For non-UT affiliates who need to send you files of any type, UT Box offers a more secure solution.

Not all types of Confidential (formerly called "Category I") data can be stored on UT Box. Consult our Cloud Services tables for more details.

This article illustrates one way—using UT Box—to collect files from non-UT affiliates securely. This is by no means the only way to do so. If you have questions about the safety of other possible methods, please contact us.

What is UT Box?

UT Box is a cloud-based file storage solution offered at no cost to all UT Austin faculty, staff, and students. Faculty and staff receive 2 TB (2,000 GB) of storage. Files stored on UT Box can be shared both within, and outside of, the University.


Follow these steps to start collecting files from non-UT affiliates in a secure manner. You'll need your EID (to log in to Box) and a website (into which you will embed the Box Upload Widget).

If you don't have access to a website on which you can embed the Box Upload Widget, contact your local technical support staff to learn what options you have for departmental web hosting.

Create a folder

First, you'll create a folder on UT Box into which users will upload their files. To do so, log in to UT Box at and then:

  1. Create a new folder by clicking the New menu, then choosing Folder.

     Click here for screenshot…

  2. Give your folder a descriptive name and, under Collaboration, choose Keep private for now. Then, click OK.

     Click here for screenshot…

Configure the Box Upload Widget

Next, you'll configure a new Box Upload Widget, the component that will allow non-affiliates to take a file of theirs, and put it in the folder you just created.

  1. Right-click on the new folder you've created or click the More menu, then choose Upload Options, then Embed Upload Widget.

     Click here for screenshot…

  2. Customize the given options to your liking, then select and copy the provided HTML snippet that starts with <script src=" Do not click Deactivate. If you like, you can choose Preview this widget to see what your widget will look like.

     Click here for screenshot…

  3. Paste the HTML snippet into the HTML code of your webpage. It will embed a file upload widget into the website.

     Click here for screenshot…

Provide web link to non-affiliates

  1. Provide the URL of the website to the non-affiliates who need to send you files.
  2. Log in to UT Box and the non-affiliates' uploaded files will be inside the folder. You can view or download the files from there.


Just like files received via email or downloaded from the Internet, files received via Box may contain malicious content such as viruses, trojans, worms, or other malware. No verification or sanitization is performed on files received via the Upload Widget.

  • Consider scanning uploaded files with an up-to-date virus scanner (such as FireAMP) before opening them.
  • When handling Microsoft Office documents, make sure macros are disabled. Never enable macros when viewing documents of unknown origin.
  • Only open known or expected file types. If your submissions are expected in PDF (.pdf) or Word (.doc or .docx) format, don't open any .html files.
  • Never open executable files, such as those ending in .exe. Be wary of compressed files, such as .zip or .tar.gz files, which may harbor malicious code.
  • If you don't recognize the file type as being safe, don't open it!

Requiring an email address to upload a file via the Upload Widget does not require that the person uploading it provide a valid address. Just as with email, users may fake their sending address or use the address of someone they are not.

By default, the steps above will result in a folder that is not synchronized with a device using Box Sync. Syncing an uploads-based folder with Box Sync can be risky because deleting or modifying a file in the Box Sync folder (on a computer or mobile device) will delete or modify it on Box (in the cloud), in real time. This could easily lead to unintended changes to uploaded files or the loss of files, affecting all users who have access to the folder. Using Box Sync on folders that accept Upload Widget files may be risky, as well, because new files submitted anonymously by the outside world will automatically propagate to your computer or mobile device, increasing the risk of infection by malware.


Questions about using UT Box?

Questions about campus security policy?


This document includes contributions by Glenn Dembowski, School of Social Work.

Safe icon courtesy of IconLeak.


Copyright © 2016 Information Security Office, The University of Texas at Austin